IN THE CLAIMS: 



1 . (Currently Amended) A computer program product for automatically determining if a 
packet is a new, exploit candidate, said program product comprising: 

a computer readable medium; 

first program instructions to determine if said packet is a known exploit or portion 
thereof; 

second program instructions to determine if said packet is addressed to a broadcast IP 
address of a network :iv&m>iterbi!0*d^ and 

third program instructions to determine if said packet is network administration traffic; 

fourth program instructio ns, responsive to said packet being a if said packet is said 

known exploit or portion thereof, addressed to a broadcast IP address of a nctwork,4>^vV-^ 
traffic or network administration traffic; to determine that said packet is not «emkfefed a new, 
exploit candidate; and 

fifth program instructions, responsive to said packet not being a 44^»t4yaeket4»ftefsmd 
known exploit or portion thereof, addressed to a broadcast IP address of a n etwork, "t*n«r=tk-tm 
traffiev or -nctwork administration traffic or another type of traffic known to be benign, to 
iete . mine and report that - said packet is a new.a a- exploit candidate; and wherein 

said first, second^mi third , fourth and fifth program instructions are embodied ^ wded 
on said medium. 
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2. (Currently Amended) A computer program product as set forth in claim 1 further 
comprising: 

sixth fotaftfj program instructions to determine if said packet is web crawler traffic; and 
wherein 

said fourth program instructions are responsive to i f-said packet being m frfrm4 known 
exploit or portion thereof, addressed to a broadcast 1 P address of a n etwork,--^-»te^^ -fptHin 
network administration traffic or web crawler traffic, to determine that said packet is not 
<:'- : ----<;: -v f a new, exploit candidate; and 

said fifth program in structi ons are responsive to tf-said packet ts-no t being a- aatd known 
exploit or portion thereof, addressed to a broadcast IP address of a n etwork, -{mv^ • ^Mtte 
network administration traffic or web crawler traffic, to determine that said packet is a nc.v.mt 
exploit candidate; and 

said sixthfe tertk program instructions arc embodied f et^mitxi on said medium. 

3. (Original) A computer program product as set forth in claim 1 wherein said first program 
instructions determine if said packet is a known exploit or portion thereof by searching said 
packet for a known signature of said known exploit. 

4. (Original) A computer program product as set forth in claim 1 wherein said first program 
instructions determine if said packet is a known exploit by comparing an identity of said packet 
to one or more identities, sent by an intrusion detection system, of respective packet(s) which 
said intrusion detection system determined to contain a known exploit or portion thereof. 

5. (Original) A computer program product as set forth in claim 1 wherein said packet was 
received by a computing device at an unused IP address, and said program product is executed at 
said computing device. 



10/650,440 



3 



END920030068US1 



6. (Currently Amended) A computer program product as set forth in claim 1 further 
comprising: f-^-^e-r-t"--t:- -----t----i"-"r- r^---" x .~ : ..:-. :t ; -t-v- 

sixth program instructions. rejgQP&iveJajaidJifth progra n ! ■■■>jvi-.. u-. :-sis determining that 

said packet is a new exploit candidate^.to. dglemiine..a signature of said packet or a sequence of 

v M ' .kl I'j h it - V { ) I. I i | U V h I v n )k < . \h< It UK' 1 it i . !^ JlJK 

tOJiUJldlDM 

said sixth program instructions are embodied on said medium. 

7. (Currently Amended) A computer program product as set forth in claim 6 wherein if said 
fourth program instmctions determine that said packet is not a new, exploit candidate, then a 
signature of said packet or a sequence of packets including said first packet is not detennined. 4- 

feartkyregram^ 



8. (Currently Amended) A computer program product as set forth in claim fr wherein said 
• - • ond-Htm'Ht program instructions determines if said packet is addressed to a broadcast IP 
address of said n o - \ not**-oK^ s v 
packet- : by comparing a destination IP address of said packet to a gateway IP address and 
netmask of said network whic h i-.lc ■ . ■ j .. JJ ■ : ■ o----. of said network. 

9. (Currently Amended) A computer program product as set forth in claim 1 wherein; 
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said second program instructions also d etermines if said packet has ^•••■••••-••••■•^•vv-f-f 

i^^ x {*. a ^..^-«:; v -4*^- lc .^ t ,.> rv ^ i * ; a protocol listed in e f saKf^rfrt-*^ a list of protocols assumed to 
be harmless network broadcast traffic 

said fourth pro gram instructions is responsive to said packet bein g a known exploit or 

portion thereof, addressed to a broadcast IP address of a network, network administration traffic 
or having a protocol listed in a list of protocols assumed to be harmless network broadcast 
traffic, to determine that said packet is not a new, exploit candidate; and 

said fifth program instructions is responsive to said packet not being a known exploit or 

portion thereof, addressed to a broadcast IP address of a network or network administration 

traffic and not having a protocol listed in a list of protocols assumed to be ban 1 s 

broadcast traffic, to determine and report that said packet is a new, exploit candidate . 

10. (Currently Amended) A computer program product as set forth in claim 1 wherein said 
third program instructions determine* if said packet is network administration traffic by 
comparing an IP protocol and IP address of said packet to a list of combinations of IP protocols 
and IP addresses assumed to be network administration traffic. 

1 1 . (Currently Amended) A computer program product as set forth in claim 2 wherein said 
sixthfenh program instructions determines if said packet is web crawler traffic by comparing an 
IP address of said packet to a list of IP addresses of known web crawlers. 
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12. (Currently Amended) A computer program product as set forth in claim 1 further 
comprising sixth program instructions, responsive to w he^em-tfsaid packet ts-not being * atd~a 
known exploit,, network broadcast traffic, m- addressed .to.a_broa ck H ? ad dress of a n etwork 

os osh.i tv pe uF 1 1 attic know n ru ho ix-nign. 4nnker-^>tnf t > -r ><■ ! H 
- -to identify a sequence of packets including the first said packet, said 
sequence of packets being a new, exploit candidate; and wherein 

said sixthfe rtfe program instructions are erobodie dr eeefded ' on said medium. 

13. (Currently Amended) A computer system for automatically determining if a packet is a 
new, exploit candidate, said system comprising: 

means for determining if said packet is a known exploit or portion thereof; 

means for determining if said packet is addressed to a broadcast IP address of a n etwork; 

means for determining if said packet is network administration traffic; wherein 

means, responsive to t f-said packet bejngts said known exploit or portion thereof, 
addressed to said broadcast IP address of said networMarndgasHraffte? or network 
administration traffic, for determining that said packet is not con s idered a new, exploit 
candidate; and 

means, respoi ah 'Jo said packet ts not being a saM known exploit or portion thereof, 
addressed to said broadcast IP address of said n etwork,% readca a t"tmffi ' e - " t y - network 
administration traffic or another type of traffic kno wn to be benign, for determining and 
reporting that; - said packet is a new, *m- exploit candidate. 
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14. (Currently Amended) A computer system as set forth in claim 13 further comprising: 

means for determining if said packet is web crawler traffic; and wherein 

said means for determining that said packet is not a new, exploit candidate determines 
that said pac ket is not a new exploit candidate if said packet is ^Hnt^^ 
'Sfeereefr ftetw^fc^ • - web crawler trafficj-s&id 



15. (Currently Amended) A computer system as set forth in claim 13 wherein said packet 
was received by said computer system in said network at an unused IP address. 



1 6 . (Currently Amended) A computer system as set forth in claim 13 further COTnjmsmg 
means, r es ponsive to said packet not being a new exploit candidate, for determinin g a signature 
or-,<iid packci or a .sequence of packets including the flrM -.aid packci. unci reporting said now. 
ex ploit candidate and said signature to an administrators 
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Claims 17-20 (Canceled) 



Please enter new claims 21-24, as follows: 

21 . (New) A computer program product for automatically determining if a packet is a new, 
exploit candidate, said program product comprising: 

a computer readable medium; 

first program instructions to determine if said packet is a known exploit or portion 
thereof; 

second program instructions to determine if said packet is addressed to a broadcast IP 
address of a network; 

third program instructions to determine if said packet has a protocol listed in a list of 
protocols assumed to be harmless broadcast traffic; 

fourth program instructions to determine if said packet is network administration traffic; 

fifth program instructions, responsive to said packet being a known exploit or portion 
thereof, addressed to a broadcast IP address of a network or network administration traffic or 
having a protocol listed in a list of protocols assumed to be harmless broadcast traffic, to 
determine that said packet is not a new, exploit candidate; and 

sixth program instructions, responsive to said packet not being a known exploit or portion 
thereof, addressed to a broadcast IP address of a network or network administration traffic and 
not having a protocol listed in a list of protocols assumed to be harmless broadcast traffic, to 
determine and report that said packet is a new, exploit candidate; and wherein 
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said first, second, third, fourth, fifth and sixth program instructions are embodied on said 
medium. 

22. (New) A computer program product as set forth in claim 21 further comprising: 

seventh program instructions to determine if said packet is web crawler traffic; and 
wherein 

said fifth program instructions are responsive to said packet being a known exploit or 
portion thereof, addressed to a broadcast IP address of a network, network administration traffic 
or web crawler traffic or having a protocol listed in a list of protocols assumed to be harmless 
broadcast traffic, to determine that said packet is not a new, exploit candidate; and 

said sixth program instructions are responsive to said packet not being a known exploit or 
portion thereof, addressed to a broadcast IP address of a network, network administration traffic 
or web crawler traffic or other traffic known to be benign or having a protocol listed in a list of 
protocols assumed to be harmless broadcast traffic, to determine that said packet is a new, 
exploit candidate; and 

said seventh program instructions are embodied on said medium. 

23. (New) A computer program product as set forth in claim 21 further comprising: 

seventh program instructions, responsive to said sixth program instructions determining 
that said packet is a new, exploit candidate, to determine a signature of said packet or a sequence 
of packets including the first said packet, and report said new, exploit candidate and said 
signature to an administrator; and wherein 

said seventh program instructions are embodied on said medium. 
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24. (New) A computer program product as set forth in claim 21 wherein said second 
program instructions determine if said packet is addressed to a broadcast IP address of said 
network by comparing a destination IP address of said packet to a gateway IP address and 
netmask of said network which identifies a broadcast IP address of said network. 
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